Cloudflare’s claims its new DNS resolver will provide enhanced privacy for users, but it is unclear how much different the service will be from competing resolvers.

Cloudflare introduced its 1.1.1.1 DNS resolver service and immediately went on the attack against data collection practices by internet service providers (ISPs).

“By default, your ISP, every Wi-Fi network you’ve connected to, and your mobile network provider have a list of every site you’ve visited while using them,” Matthew Prince, CEO and co-founder of Cloudflare, wrote in a blog post. He added that laws banning ISPs from selling that data have been revoked. “With all the concern over the data that companies like Facebook and Google are collecting on you, it worries us to now add ISPs like Comcast, Time Warner, and AT&T to the list. And, make no mistake, this isn’t a U.S.-only problem — ISPs around the world see the same privacy-invading opportunity.”

But ISPs weren’t Cloudflare’s only target. On the official 1.1.1.1 DNS landing page, Cloudflare noted: “Creepily, some DNS providers sell data about your internet activity or use it [to] target you with ads.”

Cloudflare did not directly mention which DNS providers engage in these “creepy” practices, but promised it would be better.

“We committed to never writing the querying IP addresses to disk and wiping all logs within 24 hours,” Prince wrote. “Cloudflare’s business has never been built around tracking users or selling advertising. We don’t see personal data as an asset; we see it as a toxic asset.”

Nick Sullivan, head of cryptography at Cloudflare, told SearchSecurity that a big difference between 1.1.1.1 DNS and ISPs or competing DNS services is that Cloudflare has “a very robust pro-user privacy policy.”

“Usually, the ISP supplies the resolver and then sells the traffic data to advertisers. Instead of routing through your ISP resolver, the 1.1.1.1 DNS resolver is running on every Cloudflare metal,” Sullivan said. “Because Cloudflare provides DNS service for a DNS root server and for 7 million domains, DNS will be instant to resolve for most sites on the internet because the answers are sitting on the same service as the resolver.”

However, Sullivan did not say how the Cloudflare resolver alone could meaningfully hide traffic from ISPs.

Comparing CloudFlare’s 1.1.1.1 DNS to the competition

Despite Cloudflare’s language against tracking practices of ISPs, it is also unclear if the 1.1.1.1 DNS resolver can completely mitigate that issue. Prince’s blog post mentioned DNS-over-TLS and DNS-over-HTTPS, both of which are supported by the 1.1.1.1 DNS resolver, but did not directly connect those features to ISP privacy. Prince acknowledged that Google’s DNS service was the only major resolver supporting DNS-over-HTTPS, but noted that “non-Chrome browsers and non-Android operating systems have been reluctant to build a service that sends data to a competitor.”

“DNS inherently is unencrypted so it leaks data to anyone who’s monitoring your network connection. While that’s harder to monitor for someone like your ISP than if they run the DNS resolver themselves, it’s still not secure,” Prince wrote. “What’s needed is a move to a new, modern protocol. There are a couple of different approaches. One is DNS-over-TLS. That takes the existing DNS protocol and adds transport layer encryption. Another is DNS-over-HTTPS. It includes security but also all the modern enhancements like supporting other transport layers and new technologies like server HTTP/2 Server Push.”

However, experts have pointed out that “supporting” these transport security protocols is not the same as implementing, because both require implementation by the DNS client talking to the DNS resolver.

Sean Webb, co-founder of HardenedBSD, security-enhanced fork of the FreeBSD operating system, noted that “if you don’t use their DNS-over-TLS service, then you’re still sending DNS queries and getting the responses back over plaintext,” and some ISPs have been known to hijack those requests.

By using CloudFlare’s DNS service, not only are you giving both your ISP and CloudFlare your DNS data, but any hop in between now.

Additionally, Cloudflare’s claim that its 1.1.1.1 DNS resolver does not permanently log IP addresses seems to be intended to differentiate its policies from competing DNS offerings, but when comparing it to the privacy claims in the Google’s Public DNS FAQ, the language appears very similar.

“The temporary logs store the full IP address of the machine you’re using. We have to do this so that we can spot potentially bad things like DDoS attacks and so we can fix problems, such as particular domains not showing up for specific users. We delete these temporary logs within 24 to 48 hours,” Google wrote in its privacy FAQ. “In the permanent logs, we don’t keep personally identifiable information or IP information. We do keep some location information (at the city/metro level) so that we can conduct debugging, analyze abuse phenomena. After keeping this data for two weeks, we randomly sample a small subset for permanent storage.”

Google also promises it will not use its Public DNS to serve ads.

The APNIC in the room

Another piece of the data storage puzzle with 1.1.1.1 DNS is the research partnership between Cloudflare and the Asia Pacific Network Information Centre (APNIC) — the regional internet registry that hands out IP addresses in the Asia Pacific region and owns the 1.1.1.1 IP address.

The partnership is scheduled to last for five years at which point the two organizations will renew the partnership or APNIC may choose to “permanently allocate” the 1.1.1.1 address to Cloudflare.

However, while Cloudflare has been explicit about not storing traffic data for longer than 24 hours, APNIC was vaguer in its data storage timetable.

“We are committed to treat all data with due care and attention to personal privacy and wish to minimize the potential problems of data leaks. We will be destroying all ‘raw’ DNS data as soon as we have performed statistical analysis on the data flow,” Geoff Huston, chief scientist at APNIC, wrote in its announcement. “We will not be compiling any form of profiles of activity that could be used to identify individuals, and we will ensure that any retained processed data is sufficiently generic that it will not be susceptible to efforts to reconstruct individual profiles. Furthermore, the access to the primary data feed will be strictly limited to the researchers in APNIC Labs, and we will naturally abide by APNIC’s non-disclosure policies.”